A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories, and all it took was a single opened GitHub issue.
The Claude Code GitHub Action prompt injection vulnerability was discovered by RyotaK of GMO Flatt Security. Anthropic fixed the core bypass within four days in January and hardened the action further through the spring; the fixes are included in claude-code-action version 1.0.94.
Anthropic rated the issues at 7.8 under CVSS v4.0 and paid a bug bounty, and because Anthropic's own action repository used the same vulnerable workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it.
What Claude Code GitHub Action Does
Claude Code GitHub Action drops Claude into CI/CD pipelines to triage issues, add labels, review pull requests, or run slash commands.
By default, the workflow gets read and write access to a repository's code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access.
The Claude Code GitHub Action prompt injection vulnerability bypassed this restriction.
The [bot] Bypass
The trigger check had a hole: it waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things that administrators install.
Trouble is, anyone can register a GitHub App, install it on a repository they own, and use its token to open an issue or pull request on any public repository, and the Claude Code GitHub Action prompt injection saw "a bot" and let the attacker's content through.
Tag mode had an extra check to confirm the actor was a real human, but agent mode did not, which left it open to the bypass.
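To make the hole concrete, here is the suffix-based rule as the article describes it beside a hardened replacement. This is an added example, not code from claude-code-action: the actor names, the permission table that stands in for GitHub's collaborator-permission lookup, and the `TRUSTED_BOTS` allowlist are all constructed for illustration.

```typescript
// Added example (not code from claude-code-action): the "[bot]" suffix rule
// the article describes, beside a hardened check.

// Permission levels as GitHub's collaborator-permission API reports them;
// "none" is used here for actors who are not collaborators at all.
type Permission = "admin" | "write" | "read" | "none";

// Constructed lookup table standing in for the API call. An attacker's own
// GitHub App has no collaborator permission on the target repository.
const PERMISSIONS: Record<string, Permission> = {
  "maintainer-alice": "admin",
  "contributor-bob": "write",
  "drive-by-carol": "read",
  "dependabot[bot]": "none",
  "attacker-app[bot]": "none",
};

function lookupPermission(actor: string): Permission {
  return PERMISSIONS[actor] ?? "none";
}

const WRITE_LEVELS: ReadonlySet<Permission> = new Set<Permission>(["admin", "write"]);

// The flawed rule: anything ending in "[bot]" is waved through, so an
// attacker who registers and installs their own GitHub App gets a free pass.
function isTrustedActorFlawed(actor: string): boolean {
  if (actor.endsWith("[bot]")) return true;
  return WRITE_LEVELS.has(lookupPermission(actor));
}

// Hardened rule: a bot is trusted only if the repository explicitly lists it,
// and a human only if their collaborator permission is write or admin.
function isTrustedActorHardened(
  actor: string,
  trustedBots: ReadonlySet<string>,
): boolean {
  if (actor.endsWith("[bot]")) return trustedBots.has(actor);
  return WRITE_LEVELS.has(lookupPermission(actor));
}

// Constructed allowlist: the bots a repository administrator chose to trust.
const TRUSTED_BOTS: ReadonlySet<string> = new Set(["dependabot[bot]"]);

// Stand-alone run: compare the two rules for every constructed actor.
for (const actor of Object.keys(PERMISSIONS)) {
  console.log(
    actor,
    "flawed:", isTrustedActorFlawed(actor),
    "hardened:", isTrustedActorHardened(actor, TRUSTED_BOTS),
  );
}
```

The difference shows up on `attacker-app[bot]`: the flawed rule trusts it purely on the name, while the hardened rule asks whether the repository actually installed and listed that app. Tag mode's extra "is this a real human" check, which agent mode lacked, is the same idea applied from the other direction.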
The Indirect Prompt Injection
From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task.
RyotaK wrote an issue whose body looked like an error message, and then refined the prompt until Claude would "recover" by running the commands buried in it.
The target was /proc/self/environ, the Linux file that exposes a process's environment variables, secrets included. Claude Code blocks naive reads of it, but RyotaK bypassed the guard anyway and got Claude to write the values back into the issue, where the attacker could grab them.
The OIDC Token Theft
The real prize in those environment variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that proves "I am this workflow running in this repository."
Claude Code trades that token with Anthropic's backend for a Claude GitHub App installation token with write access, and if an attacker steals those credentials and replays the exchange, they hold write access to the target's code, issues, and workflows.
Aim the Claude Code GitHub Action prompt injection at the claude-code-action repository itself, and the attacker could poison the action that downstream projects pull.
The Softer Route
RyotaK also flagged a softer route that skipped the bot trick entirely.
Anthropic's own example issue-triage workflow shipped with allowed_non_write_users: "*", which lets anyone trigger it, a setting that Anthropic's documentation already flags as risky.
Worse, Claude was posting task summaries to the workflow run's publicly visible summary panel, a ready-made way to leak data out, and plenty of repositories copied that example and inherited the hole.
Editing Trusted Issues
There is also a path for an attacker who can edit issues but cannot trigger Claude on their own: edit a trusted user's issue after it has fired the workflow but before Claude reads it, and the payload rides in as "trusted" input.
The Claude Code GitHub Action prompt injection vulnerability had multiple variants.
The Real-World Cline Incident
None of this is theoretical: the same setup, an AI issue-triager plus broad permissions plus prompt injection, has already caused a real supply-chain hit.
In February 2026, a prompt-injected issue title against Cline's claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorized [email protected].
The rogue version only force-installed a separate, non-malicious AI agent and was pulled about eight hours later, but the same chain could just as easily have shipped real malware to everyone who updated.
The HackerBot-Claw
The autonomous "HackerBot-Claw" bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others, though when it tried to prompt-inject a Claude-based reviewer through a poisoned configuration file, Claude caught it and refused.
There is no public sign that this exact path, the one that poisons Anthropic's own action, was used against a live target, and RyotaK proved it only in his own test repositories.
50 Separate Bypasses
RyotaK says he has now reported around 50 separate ways to bypass Claude Code's permission system and run commands, part of a steady run of prompt-injection flaws in AI coding agents.
Prompt injection is still not solved, and an agent with real tools and real tokens can be pushed as far as its permissions allow.
Your Workflow Can Be Kept Safe
Security Notice: The Claude Code GitHub Action has been patched in version v1.0.94
To keep your workflow safe going forward:
1. Update the claude-code-action to version 1.0.94 or higher
2. Audit any workflow that lets users without write access trigger Claude, and make sure it does not grant write permissions or accept bot actors. Remove any secrets other than the Anthropic API key and the GITHUB_TOKEN, and any tools that could be used to exfiltrate data.
3. Do NOT set allowed_non_write_users: "*", since allowing all users to run your workflow puts you at high risk.
4. Review your workflow's summary panel; if Claude is posting task summaries to a publicly visible summary panel, disable that behaviour or limit the information it shows.
5. Keep an eye on unusual activity on issues; the exploit requires an issue to be opened or edited, so oddities in an issue's content can indicate an attempted prompt injection.
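Steps 2 and 3 of that checklist can be turned into a mechanical check. The following is an added example, not Anthropic's tooling: a line-based audit that scans a workflow file for the three settings the checklist names (`allowed_non_write_users: "*"`, write permissions on a job that non-write users can trigger, and secrets beyond the Anthropic API key and `GITHUB_TOKEN`). The two workflow fragments are constructed for illustration; the `uses:` path and the `anthropic_api_key` and `prompt` input names follow Anthropic's published action but are assumed here rather than taken from the page.

```typescript
// Added example (not from Anthropic or claude-code-action): audit a workflow
// file for the risky settings listed in the security notice above.

// Constructed weak workflow: anyone can trigger it, the job holds broad write
// permissions, and an unrelated publish token is exposed to the job.
const WEAK_WORKFLOW = `
name: Issue triage
on:
  issues:
    types: [opened, edited]
permissions:
  contents: write
  issues: write
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: \${{ secrets.ANTHROPIC_API_KEY }}
          allowed_non_write_users: "*"
          prompt: "Triage this issue and apply labels."
        env:
          NPM_TOKEN: \${{ secrets.NPM_PUBLISH_TOKEN }}
`;

// Constructed corrected workflow: only write-access users can trigger it (the
// default), permissions are the minimum for labelling, and no extra secrets.
const HARDENED_WORKFLOW = `
name: Issue triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: \${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Triage this issue and apply labels."
`;

// The only secrets the notice allows the job to hold.
const ALLOWED_SECRETS: ReadonlySet<string> = new Set(["ANTHROPIC_API_KEY", "GITHUB_TOKEN"]);

// Returns one finding string per problem; an empty array means the file passed.
function auditWorkflow(yamlText: string): string[] {
  const findings: string[] = [];
  let nonWriteTrigger = false;          // allowed_non_write_users is set at all
  const writeScopes: string[] = [];     // permission scopes granted "write"
  const extraSecrets = new Set<string>();
  let permIndent = -1;                  // indent of an open `permissions:` block

  for (const raw of yamlText.split("\n")) {
    const line = raw.replace(/\t/g, "  ");
    const indent = line.search(/\S|$/);
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("#")) continue;

    // Leave the permissions block once indentation returns to its level.
    if (permIndent >= 0 && indent <= permIndent) permIndent = -1;
    if (/^permissions:\s*$/.test(trimmed)) { permIndent = indent; continue; }
    if (/^permissions:\s*write-all\s*$/.test(trimmed)) { writeScopes.push("write-all"); continue; }
    if (permIndent >= 0) {
      const m = trimmed.match(/^([\w-]+):\s*write\s*$/);
      if (m) writeScopes.push(m[1]);
    }

    const t = trimmed.match(/^allowed_non_write_users:\s*["']?([^"']*)["']?\s*$/);
    if (t) {
      nonWriteTrigger = true;
      if (t[1].trim() === "*") {
        findings.push('allowed_non_write_users is "*": any GitHub user can trigger Claude in this workflow');
      }
    }

    // Every secrets.<NAME> reference anywhere on the line.
    const re = /secrets\.([A-Za-z_][A-Za-z0-9_]*)/g;
    let s: RegExpExecArray | null;
    while ((s = re.exec(trimmed)) !== null) {
      if (!ALLOWED_SECRETS.has(s[1])) extraSecrets.add(s[1]);
    }
  }

  // Write permissions are a finding only when non-write users can trigger the job.
  if (nonWriteTrigger && writeScopes.length > 0) {
    findings.push(`non-write users can trigger Claude while the job holds write permission on: ${writeScopes.join(", ")}`);
  }
  if (extraSecrets.size > 0) {
    findings.push(`secret beyond ANTHROPIC_API_KEY/GITHUB_TOKEN reachable from the job: ${[...extraSecrets].join(", ")}`);
  }
  return findings;
}

// Stand-alone run: the weak file yields three findings, the corrected one none.
console.log("weak:", auditWorkflow(WEAK_WORKFLOW));
console.log("hardened:", auditWorkflow(HARDENED_WORKFLOW));
```

The audit is deliberately line-based so it needs no YAML library, which is enough for the flat `permissions:` and `with:` blocks these workflows use; a repository with many workflows can run it over every file under `.github/workflows/`. It does not check the summary-panel setting from step 4, because that depends on an input name the notice does not give.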
Final Thoughts
The Claude Code GitHub Action prompt injection vulnerability is a warning for the age of AI-powered development tools.
An attacker with nothing more than a crafted GitHub issue could steal OIDC tokens and gain write access to code, issues, and workflows, and because Anthropic's own action repository used the same vulnerable workflow, the attack could have poisoned the action itself.
The Claude Code GitHub Action prompt injection flaw was fixed within four days of responsible disclosure, but the Cline incident shows that real-world exploitation is already happening.
If you use Claude Code GitHub Action, update to version 1.0.94 or later today, audit your workflows, and assume that your AI agent will follow instructions hidden in untrusted content.
FAQ Section
What is the Claude Code GitHub Action prompt injection vulnerability?
The vulnerability allowed an attacker to bypass the write-access trigger check by using a [bot] actor, then use indirect prompt injection to steal OIDC tokens from /proc/self/environ, and then exchange those tokens for write access to the target repository.
Has this vulnerability been exploited in the wild?
A similar prompt injection attack against Cline's claude-code-action triage workflow stole an npm publish token and pushed an unauthorized [email protected] in February 2026, and the "HackerBot-Claw" bot probed many repositories though it was caught.
What versions of Claude Code GitHub Action are patched?
The fixes are included in claude-code-action version 1.0.94 and later.
What should I do if I use Claude Code GitHub Action?
Update to version 1.0.94 or later, audit any workflow that lets users without write access trigger Claude, avoid allowed_non_write_users: "*", and do not feed any secret beyond the Anthropic API key and GITHUB_TOKEN to untrusted inputs.
How many bypasses has RyotaK reported?
RyotaK has said he has reported nearly 50 separate methods of bypassing Claude Code's permission system and executing commands. This shows that prompt injection in AI coding agents remains an ongoing issue that has yet to be resolved.